If you are setting up a secured NiFi Registry instance for the first time, you must
manually designate an "Initial Admin Identity" in the
authorizers.xml file. This initial admin user is granted access
to the UI and given the ability to create additional users, groups, and policies. The
value of this property could be a certificate DN, LDAP identity (DN or username), or a
Kerberos principal. If you are the NiFi Registry administrator, add yourself as the
"Initial Admin Identity".

After you have edited and saved the authorizers.xml file,
restart NiFi Registry. The users.xml and
authorizations.xml files are created, and the "Initial
Admin Identity" user and administrative policies are added during startup. Once
NiFi Registry starts, the "Initial Admin Identity" user is able to access the
UI and begin managing users, groups, and policies.
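
A check that can be run on authorizers.xml before the restart described above, added here as an example (it is not part of the original documentation or of NiFi Registry's own tooling). It assumes a first start with the file-based user group provider, where the admin is expected to also appear under an Initial User Identity property, and that identities are compared exactly; the sample XML and DNs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the page: the admin DN differs from the
# seeded user only in case ("Admin" vs "admin").
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=admin, OU=NiFi</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=Admin, OU=NiFi</property>
  </accessPolicyProvider>
</authorizers>"""

def _props(elem):
    """Map property name -> stripped text for one provider element."""
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}

def check_initial_admin(xml_text):
    """Return findings about the Initial Admin Identity; an empty list means OK."""
    root = ET.fromstring(xml_text)
    providers = {(e.findtext("identifier") or "").strip(): _props(e)
                 for e in root.findall("userGroupProvider")}
    findings = []
    for app in root.findall("accessPolicyProvider"):
        p = _props(app)
        admin = p.get("Initial Admin Identity", "")
        if not admin:
            findings.append("Initial Admin Identity is empty")
            continue
        ugp = providers.get(p.get("User Group Provider", ""))
        if ugp is None:
            findings.append("User Group Provider reference does not resolve")
            continue
        seeded = [v for k, v in ugp.items() if k.startswith("Initial User Identity") and v]
        # Only the file provider is checked; LDAP identities live in the directory.
        if "Users File" in ugp and admin not in seeded:
            near = [s for s in seeded if s.casefold() == admin.casefold()]
            findings.append(f"admin {admin!r} is not a seeded user"
                            + (f"; differs only in case from {near[0]!r}" if near else ""))
    return findings

if __name__ == "__main__":
    print(check_initial_admin(SAMPLE))
```
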

If initial NiFi identities are not provided, they can be added through the
UI at a later time by first creating a user for the given NiFi identity and
then giving that user Proxy permissions and permission to Buckets/READ in
order to read all buckets.

Here is an example loading users and groups from LDAP. Group membership will be
driven through the member attribute of each group. Authorization will still use
file-based access policies.

The Initial Admin Identity value would have loaded from the cn
of the User 1 entry based on the User Identity Attribute
value.

Here is an example composite implementation loading users and groups from LDAP and a
local file. Group membership will be driven through the member attribute of each group.
The users from LDAP will be read-only, while the users loaded from the file will be
configurable in the UI.

In this example, the users and groups are loaded from LDAP but the servers are
managed in a local file. The Initial Admin Identity value came from
an attribute in an LDAP entry based on the User Identity Attribute.
The NiFi Identity values are established in the local file using
the Initial User Identity properties.